The Internet of Things (IoT) and the Internet of Services (IoS) are two well-known exemplars of the emerging ‘Internet variants’. These variants will be tightly interwoven yet specific with respect to the supporting technologies needed. The present paper discusses the five variants identified as essential by the authors: IoT, IoS, Internet-of-Humans, Internet-of-Crowds, and Internet-of-Clouds. For each variant, a non-comprehensive set of research challenges is cited and related to the state of the art and to ongoing projects of the lab.

An attacker who can control arbitrarily many user identities can break the security properties of most conceivable systems. This is called a Sybil attack. We present a solution to this problem that does not require online communication with a trusted third party and that in addition preserves the privacy of honest users. Given an initial so-called Sybil-free identity domain, our proposal can be used for deriving Sybil-free unlinkable pseudonyms associated with other identity domains. The pseudonyms are self-certified and computed by the users themselves from their cryptographic long-term identities.

Access control policies describe high level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reflect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reflect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significant better rule sets.

This paper tackles the problem of usability and security in access control mechanisms. A theoretical solution for this problem is presented using the combination of automatic rule learning and user interaction. The result is the interactive rule learning approach. Interactive rule learning is designed to complete attribute-based access control to generate concise rule sets even by non-expert end-users. The resulting approach leads to adaptive access control rule sets that can be used for smart products.

Nowadays the majority of users are unable to properly configure security mechanisms mostly because they are not usable for them. To reach the goal of having usable security mechanisms, the best solution is to minimize the amount of user interactions and simplify configuration tasks. Automation is a proper solution for minimizing the amount of user interaction. Fully automated security systems are possible for most security objectives, with the exception of the access control policy generation. Fully automated access control policy generation is currently not possible because individual preferences must be taken into account and, thus, requires user interaction. To address this problem we propose a mechanism that assists users to generate proper access control rule sets that reflect their individual preferences. We name this mechanism Interactive Rule Learning for Access Control (IRL). IRL is designed to generate concise rule sets for Attribute-Based Access Control (ABAC). The resulting approach leads to adaptive access control rule sets that can be used for so called smart products. Therefore, we first describe the requirements and metrics for usable access control rule sets for smart products. Moreover, we present the design of a security component which implements, among other security functionalities, our proposed IRL on ABAC. This design is currently being implemented as part of the ICT 7th Framework Programme SmartProducts of the European Commission.

The goal of this work is to reason on the complexity of the relationship between three non-functional requirements in cloud computing: privacy, accountability, and transparency. We provide insights on the complexity of this relationship from the perspectives of end-users, cloud service providers, and third parties, such as auditors. We shed light on the real and perceived conflicts between privacy, transparency, and accountability, using a formal definition of transparency and an analysis on how well a privacy-preserving transparency-enhancing tool may assist in achieving accountability. Furthermore, we highlight the importance of the privacy impact assessment process for the realisation of both transparency and accountability.

Privacy-enhancing technologies for the Smart Grid usually address either the consolidation of users’ energy consumption or the verification of billing information. The goal of this paper is to introduce iKUP, a protocol that addresses both problems simultaneously. iKUP is an efficient privacy-enhancing protocol based on DC-Nets and Elliptic Curve Cryptography as Commitment. It covers the entire cycle of power provisioning, consumption, billing, and verification. iKUP allows: (i) utility providers to obtain a consolidated energy consumption value that relates to the consumption of a user set, (ii) utility providers to verify the correctness of this consolidated value, and (iii) the verification of the correctness of the billing information by both utility providers and users. iKUP prevents utility providers from identifying individual contributions to the consolidated value and, therefore, protects the users’ privacy. The analytical performance evaluation of iKUP is validated through simulation using as input a real-world data set with over 157 million measurements collected from 6,345 smart meters. Our results show that iKUP has a worse performance than other protocols in aggregation and decryption, which are operations that happen only once per round of measurements and, thus, have a low impact in the total protocol performance. iKUP heavily outperforms other protocols in encryption, which is the most demanded cryptographic function, has the highest impact on the overall protocol performance, and it is executed in the smart meters.

Digital societies increasingly rely on secure communication between parties. Certificate enrollment protocols are used by certificate authorities to issue public key certificates to clients. Key agreement protocols, such as Diffie-Hellman, are used to compute secret keys, using public keys as input, for establishing secure communication channels. Whenever the keys are generated by clients, the bootstrap process requires either (a) an out-of-band verification for certification of keys when those are generated by the clients themselves, or (b) a trusted server to generate both the public and secret parameters. This paper presents a novel constrained key agreement protocol, built upon a constrained Diffie-Hellman, which is used to generate a secure public-private key pair, and to set up a certification environment without disclosing the private keys. In this way, the servers can guarantee that the generated key parameters are safe, and the clients do not disclose any secret information to the servers.

In this paper, we analyze privacy-enhancing protocols for Smart Grids that are based on anonymity networks. The underlying idea behind such protocols is attributing two distinct partial identities for each consumer. One is used to send real-time information about the power consumption, and the other for transmitting the billing information. Such protocols provide sender-anonymity for the real-time information, while consolidated data is sent for billing. In this work, the privacy properties of such protocols are analyzed, and their computational efficiency is evaluated and compared using simulation to other solutions based on homomorphic encryption.

This deliverable is the starting point of the activities in the NEWCOM Department 7 QoS Provision in Wireless Networks: Mobility, Security and Radio Resource Management. It provides the view of the department in terms of the objectives of the European research on Wireless Network aspects and, after developing the framework for QoS provision in wireless networks, it identifies the knowledge gaps existing in the fields of radio resource allocation, mobility management and security issues. As a result of that, the action plan for the future activities in the department is established.

Reputation systems rate the contributions to participatory sensing campaigns from each user by associating a reputation score. The reputation scores are used to weed out incorrect sensor readings. However, an adversary can de-anonymize the users even when they use pseudonyms by linking the reputation scores associated with multiple contributions. Since the contributed readings are usually annotated with spatio-temporal information, this poses a serious breach of privacy for the users. In this paper, we address this privacy threat by proposing a framework called IncogniSense. Our system utilizes periodic pseudonyms generated using blind signature and relies on reputation transfer between these pseudonyms. The reputation transfer process has an inherent trade-off between anonymity protection and loss in reputation. We investigate by means of extensive simulations several reputation cloaking schemes that address this trade-off differently. Our system is robust against reputation corruption and a proof-of-concept implementation demonstrates that the associated overheads are minimal.

Reputation systems are fundamental for assessing the quality of user contributions in participatory sensing. However, naively associating reputation scores to contributions allows adversaries to establish links between multiple contributions and thus deanonymize users. We present the IncogniSense framework as a panacea to these privacy threats. IncogniSense utilizes periodic pseudonyms generated using blind signature and relies on reputation transfer between these pseudonyms. Simulations are used to analyze various reputation cloaking schemes that address the inherent trade-off between anonymity protection and loss in reputation. Our threat analysis confirms the robustness of IncogniSense and a prototype demonstrates that associated overheads are minimal.

The impact of Social Collective Intelligent Systems (SCIS) on the individual right of privacy is discussed in this chapter under the light of the relevant privacy principles of the European Data Protection Legal Framework and the Organization for Economic Co-operation and Development (OECD) Privacy Guidelines. This chapter analyzes the impact and limits of profiling, provenance and reputation on the right of privacy and reviews the legal privacy protection for profiles. From the technical perspective, we discuss opportunities and challenges for designing privacy-preserving systems for SCIS concerning collectives and decentralized systems. Furthermore, we present a selection of privacy-enhancing technologies that are relevant for SCIS: anonymous credentials, transparency-enhancing tools and the PrimeLife Policy Language. Finally, we discuss how these technologies can help to enforce the main legal principles of the European Data Protection Legal Framework, and argue how provenance and reputation can be designed in a privacy-preserving manner.

In this paper we describe how we designed a massive open online course (MOOC) on Privacy by Design with a focus on how to achieve compliance with the EU GDPR principles and requirements in IT engineering and management. This MOOC aims at educating both professionals and undergraduate students, i.e., target groups with distinct educational needs and requirements, within a single course structure. We discuss why developing and publishing such a course is a timely decision and fulfills the current needs of professional and undergraduate education. The MOOC is organized in five modules, each of them with its own learning outcomes and activities. The modules focus on different aspects of the GDPR that data protection officers have to be knowledgeable about, ranging from the legal basics, to data protection impact assessment methods, and privacy-enhancing technologies. The modules were delivered using hypertext, digital content and three video production styles: slides with voice-over, talking heads and interviews. The main contribution of this work is the roadmap on how to design a highly relevant MOOC on privacy by design and the GDPR aimed at a heterogeneous audience.

In this paper, we introduce a privacy-enhanced Peer Manager, which is a fundamental building block for the implementation of a privacy-preserving collective adaptive systems computing platform. The Peer Manager is a user-centered identity management platform that keeps information owned by a user private and is built upon an attribute-based privacy policy. Furthermore, this paper explores the ethical, privacy and social values aspects of collective adaptive systems and their extensive capacity to transform lives. We discuss the privacy, social and ethical issues around profiles and present their legal privacy requirements from the European legislation perspective.

In today's collaborative business environment there is a need to share information across organizational boundaries. Publish/Subscribe systems are ideal for such scenarios as they allow real-time information to be shared in an asynchronous fashion. In this work, we focus on the access control aspect. While access control in general for publish/subscribe systems has been studied before, their usage in a multi-organizational scenario leads to some novel challenges. Here a publisher might wish to enforce restrictions w.r.t. not only subscribers, but also other publishers publishing certain event types due to competitive or regulatory reasons. With different publishers and subscribers having their own preferences and restrictions, conflicts are evident w.r.t. both publishing and subscribing to specific event types. Given this, the first contribution of this work is to provide efficient conflict detection and resolution algorithms. The other important (and often ignored) aspect of large scale and evolving systems is that of efficiently handling modifications to existing policies, e.g. a rule may become invalid after a certain period of time. Our approach in handling such modifications is two-fold: (i) to maintain consistency and (ii) to automatically detect and enforce rules which could not have been enforced earlier due to conflicts. The second contribution of our work is thus to provide lifecycle management for access control rules, which is tightly coupled with the conflict detection and resolution algorithms.

Community Health Workers (CHWs) have been using Mobile Health Data Collection Systems (MDCSs) for supporting the delivery of primary healthcare and carrying out public health surveys, feeding national-level databases with families’ personal data. Such systems are used for public surveillance and to manage sensitive data (i.e., health data), so addressing the privacy issues is crucial for successfully deploying MDCSs. In this paper we present a comprehensive privacy threat analysis for MDCSs, discuss the privacy challenges and provide recommendations that are especially useful to health managers and developers. We ground our analysis on a large-scale MDCS used for primary care (GeoHealth) and a well-known Privacy Impact Assessment (PIA) methodology. The threat analysis is based on a compilation of relevant privacy threats from the literature as well as brainstorming sessions with privacy and security experts. Among the main findings, we observe that existing MDCSs do not employ adequate controls for achieving transparency and intervenability, thus threatening fundamental privacy principles such as data quality, right to access and right to object. Furthermore, it is noticeable that although there has been significant research to deal with data security issues, the attention to privacy in its multiple dimensions is prominently lacking.

Background: Community-based primary care focuses on health promotion, awareness raising, and illnesses treatment and prevention in individuals, groups, and communities. Community Health Workers (CHWs) are the leading actors in such programs, helping to bridge the gap between the population and the health system. Many mobile health (mHealth) initiatives have been undertaken to empower CHWs and improve the data collection process in the primary care, replacing archaic paper-based approaches. A special category of mHealth apps, known as mHealth Data Collection Systems (MDCSs), is often used for such tasks. These systems process highly sensitive personal health data of entire communities so that a careful consideration about privacy is paramount for any successful deployment. However, the mHealth literature still lacks methodologically rigorous analyses for privacy and data protection.

Methods: The privacy analysis follows a systematic methodology for PIAs. As a case study, we adopt the GeoHealth system, a large-scale MDCS used by CHWs in the Family Health Strategy, the Brazilian program for delivering community-based primary care. All the PIA steps were taken on the basis of discussions among the researchers (privacy and security experts). The identification of threats and controls was decided particularly on the basis of literature reviews and working group meetings among the group. Moreover, we also received feedback from specialists in primary care and software developers of other similar MDCSs in Brazil.

Results: The GeoHealth PIA is based on 8 Privacy Principles and 26 Privacy Targets derived from the European General Data Protection Regulation. Associated with that, 22 threat groups with a total of 97 subthreats and 41 recommended controls were identified. Among the main findings, we observed that privacy principles can be enhanced on existing MDCSs with controls for managing consent, transparency, intervenability, and data minimization.

Conclusions: Although there has been significant research that deals with data security issues, attention to privacy in its multiple dimensions is still lacking for MDCSs in general. New systems have the opportunity to incorporate privacy and data protection by design. Existing systems will have to address their privacy issues to comply with new and upcoming data protection regulations. However, further research is still needed to identify feasible and cost-effective solutions.

Community Health Workers (CHWs) have been using Mobile Health Data Collection Systems (MDCSs) for public health surveys, feeding the national-level databases with the families’ personal data. Since such systems are inherently used for public surveillance and manage sensitive data (i.e., health data), dealing with the privacy issues is crucial to successful deployments. In this poster we present the privacy challenges related to MDCSs, providing a summary especially important to health managers and developers.

Community health workers in primary care programs increasingly use Mobile Health Data Collection Systems (MDCSs) to report their activities and conduct health surveys, replacing paper-based approaches. The mHealth systems are inherently privacy invasive, thus informing individuals and obtaining their consent is important to protect their right to privacy. In this paper, we introduce an e-Consent tool tailored for MDCSs. It is developed based on the requirement analysis of consent management for data privacy and built upon the solutions of the Participant-Centered Consent toolkit and the Consent Receipt specification. The e-Consent solution has been evaluated in a usability study. The study results show that the design is useful for informing individuals on the nature of data processing, privacy and protection and allowing them to make informed decisions.

Firewalls are network security components that allow administrators to handle incoming and outgoing traffic based on a set of rules. Such security appliances are typically the first line of defense, creating a barrier between the organization’s internal network and the outside network (e.g., the Internet). The process of correctly configuring a firewall is complex and error prone, and it only gets worse as the complexity of the network grows. A vulnerable firewall configuration will very likely result in major threats to the organization’s security. In this report we aim to investigate how to make the administrator’s task of planning and implementing firewall solutions easier, from the standpoints of usability and visualization. Our scientific investigation starts with the understanding of the state of the art in this specific field. To do so, we conducted a Systematic Literature Review (SLR), a strict methodology to plan a literature review, to gather relevant information, to synthesize and compare approaches, and to report findings. During the initial search process thousands of papers were screened, leading us to 125 papers carefully selected for further reading. In the secondary study, ten relevant works were identified and assessed, in which authors tackled the issues of usability and visualization for Firewalls and Personal Firewalls. Among the main findings, we perceive that there is a lack (or even absence) of user studies to validate the proposed models. This leads us to a series of unwarranted solutions that need to be prototyped and tested with real users. We also see a huge opportunity for integrative approaches that could combine firewall research areas, such as automatic anomaly detection, advisory systems, and varying visualization schemes.

We report preliminary findings from an online study, identifying people’s attitudes toward privacy issues. The results confirm some of the previous research findings regarding demographic and contextual dependencies of privacy perceptions. The research presents a new scale for measuring attitudes to privacy issues that is based on privacy harms. The results suggest that people consider privacy harms in generic and simplified terms, rather than as separated issues suggested in legal research. This research identified major factors that people tend to think of while considering online privacy.

Karlstad University, Faculty of Arts and Social Sciences (starting 2013), Service Research Center (from 2013). Karlstad University, Faculty of Arts and Social Sciences (starting 2013), Department of Social and Psychological Studies (from 2013).

The increased popularity of interconnected devices, which we rely on when performing day-to-day activities, exposes people to various privacy harms. This paper presents findings from the empirical investigation of privacy concerns. The study revealed that people, regardless of their diversity, perceive privacy harms as generic and simplified models, not individually as suggested in Solove’s framework. Additionally, the results identified differences in privacy concerns related to information disclosure, protection behavior, and demographics. The findings may benefit privacy and system designers, ensuring that policies and digital systems match people’s privacy expectations, decreasing risks and harms.

Wireless Sensor Networks (WSNs) are becoming widespread and pervasive, even in contexts where dependability and security of the deployed network could be crucial to critical and life-saving tasks. Due to the evolution rush experienced in the past few years, several security aspects need to be further investigated. In this paper, we present a survey of the main vulnerabilities of WSNs and propose a specific taxonomy. This is a first step towards the definition of a formal security evaluation framework for WSNs, as we introduce at the end of this paper.

This paper presents experiences from a vulnerability analysis course especially developed for practitioners. The described course is a compact three-day course initially aimed to educate practitioners in the process of finding security weaknesses in their own products. The paper gives an overview of the course and presents results from two different types of course evaluations. One was done on-site at the last day of the course, while the other was made 3-18 months after the participants

This paper presents a vulnerability analysis course especially developed for practitioners and experiences gained from it. The described course is a compact three-day course initially aimed to educate practitioners in the process of finding security weaknesses in their own products. After giving an overview of the course, the paper presents results from two different types of course evaluations. One evaluation was done on-site at the last day of the course, while the other was made 3-18 months after the participants had finished the course. Conclusions drawn from it with regard to recommended content for vulnerability analysis courses for practitioners are also provided.

In ad hoc networks every device is responsible for its own basic computer services, including packet routing, data forwarding, security, and privacy. Most of the protocols used in wired networks are not suitable for ad hoc networks, since they were designed for static environments with defined borders and highly specialized devices, such as routers, authentication servers, and firewalls.

This dissertation concentrates on the achievement of privacy-friendly identifiers and anonymous communication in ad hoc networks. In particular, the objective is to offer means for better anonymous communication in such networks. Two research questions were formulated to address the objective:

II. How to provide anonymous communication in ad hoc networks and what is the performance cost in relation to the obtained degree of anonymity?

To address the first research question we studied and classified the security and privacy threats, enhancements, and requirements in ad hoc networks and analyzed the need for privacy and identification. The analysis led us to the relationship between security, identification, and anonymous communication that we refer to as the “identity-anonymity paradox”. We further identified the requirements for privacy-friendly identifiers and proposed the self-certified Sybil-free pseudonyms to address such requirements.

The second research question was addressed with the design and implementation of the Chameleon protocol, an anonymous communication mechanism for ad hoc networks. The performance of Chameleon was evaluated using a network simulator. The results were used to find out the trade-off between anonymity and performance in terms of the expected end-to-end delay.

The solutions proposed in this dissertation are important steps towards the achievement of better anonymous communications in ad hoc networks and complement other mechanisms required to prevent leaks of personal data.

Identifying trustable devices and establishing secure tunnels between them in ad hoc network environments is a difficult task because it has to be quick, inexpensive and secure. Certificate-based authentication mechanisms are too expensive for small devices. The use of such mechanisms must be controlled and reserved for special situations (e.g. banking applications), not for everyday transactions. In addition, indiscriminate use of asymmetric ciphering and certificate-based authentication is a shortcut to battery exhaustion attacks. This paper describes a lightweight distributed group authentication mechanism suitable for the requirements of ad hoc network devices. We introduce the concept of group authentication, whose target is not the individual identification of devices, but to verify whether a device belongs to a trusted group. The proposed mechanism verifies if devices have a pre-shared secret and sets new cipher keys each time it runs. This mechanism requires loose synchronization among the devices’ real-time clocks to thwart replay attacks. It also mitigates the effects of battery exhaustion attacks due to its lightness.

Until the last decade, the process of gathering data to detect violations of human rights was usually a difficult and slow process since collection of testimonials from victims and witnesses depended on physical contact with the local population where the abuses were taking place. However, the seemingly ubiquitous presence of mobile telephones and future prospects of the fast expansion of such networks, especially into the poorest parts of the world, created a new and fast communication channel for presenting testimonials of abuses of human rights. Nevertheless, new communication channels also impose new challenges to protect the users’ privacy. The right to privacy is fundamental for individuals reporting violations of human rights without the fear of persecution or harassment by other individuals or abusive governments. This chapter outlines the challenges involved in protecting users’ privacy in such scenarios, and lists possible sources of identification in a mobile network that could be used to identify the sender of a message. Then, we elicit privacy requirements that need to be met and show how privacy-enhancing technologies can be used to fulfill these requirements.

This paper presents a vulnerability analysis course developed for system testers and the experiences gained from it. The aim of this course is to educate testers in the process of finding security weaknesses in products. It covers the four steps of a vulnerability analysis: reconnaissance, research and planning, mounting attacks, and assessment. The paper describes in detail ten different laboratory assignments conducted within the course. For each experiment, an overview and a description of how to run the assignment, together with the expected knowledge obtained, are presented. In addition, a course evaluation and lessons learned are also provided.

Accurate and trusted identifiers are a centerpiece for any security architecture. Protecting against Sybil attacks in a privacy-friendly manner is a non-trivial problem in wireless infrastructureless networks, such as mobile ad hoc networks. In this paper, we introduce self-certified Sybil-free pseudonyms as a means to provide privacy-friendly Sybil-freeness without requiring continuous online availability of a trusted third party. These pseudonyms are self-certified and computed by the users themselves from their cryptographic long-term identities. Contrary to identity certificates, we preserve location privacy and improve protection against some notorious attacks on anonymous communication systems.

This paper presents a solution for the problem of merging privacy-friendly identifiers with trust information without support or assistance from central authorities during the operation phase. Trust information is dynamic and associated to the pseudonyms. Our solution is constructed using role-based pseudonyms that are associated to an arbitrary number of different contexts. Moreover, the presented scheme provides inherent detection and mitigation of Sybil attacks. Finally, we present an attacker model and evaluate the security and privacy properties and robustness of our solution.

This paper describes a trust-based security architecture for small/medium-sized mobile ad hoc networks. We designed and implemented a security architecture that extends the traditional PKI model, assigning variable trust values to digital certificates and issuing credentials to grant access to network services. Trust values are not static; they vary during regular network operation as network users provoke security incidents. Depending on the seriousness of the incidents, the trust value associated to the offender’s certificate will vary. Eventually, a series of security incidents may end up with the certificate revocation. We also developed a security framework for designing secure applications and built prototypes to test and validate our architecture. We considered service-oriented ad hoc networks, where every mobile device is classified as a service provider or a service user.


Identity Deployment and Management in Wireless Mesh Networks (2008). In: The Future of Identity in the Information Society: Proceedings of the Third IFIP WG 9.2, 9.6/11.6, 11.7/FIDIS International Summer School on The Future of Identity in the Information Society, Karlstad University, Sweden, August 4–10, 2007. Springer-Verlag New York, 2008, 1, p. 223-233. Chapter in book (Refereed)

Abstract [en]

This paper introduces the problem of combining security and privacy-friendly provisioning in wireless mesh network environments. We present a set of non-functional requirements for a privacy-friendly identity management (IdM) system suitable for wireless mesh networks and derive another set of security and privacy properties for digital identifiers to be used in such networks. Later, we compare two existing identifiers, anonymous attribute certificates and anonymous credentials, and verify if any of those conforms to our set of defined properties. A business model and some business cases are presented to support and justify the need for a privacy-friendly IdM system not only from the security and privacy perspective, but also from a business-enabler perspective.

The telecommunication industry has been successful in turning the Internet into a mobile service and stimulating the creation of a new set of networked, remote services. In this paper we argue that embracing cloud computing solutions is fundamental for the telecommunication industry to remain competitive. However, there are legal, regulatory, business, market-related and technical challenges that must be considered. In this paper we list such challenges and define a set of privacy, security and trust requirements that must be taken into account before cloud computing solutions can be fully integrated and deployed by telecommunication providers.

Log audits are the technical means to retrospectively reconstruct and analyze system activities in order to determine whether system events are in accordance with the rules. In the case of privacy compliance, compliance-by-detection approaches are promoted for achieving data protection obligations such as accountability and transparency. However, significant challenges remain in fulfilling privacy requirements through these approaches. This paper presents a systematic literature review that reveals the theoretical foundations of the state-of-the-art detective approaches for privacy compliance. We developed a taxonomy based on the technical design, describing the contextual relationships of the existing solutions. The technical designs of the existing privacy detection solutions are primarily classified into privacy misuse detection and privacy anomaly detection. However, the design principle of these solutions is to validate need-to-know and access control obligations; hence the state-of-the-art privacy compliance validation mechanisms focus on usage limitations and accountability. The privacy compliance guarantee they provide is subtle when compared to the requirements arising from privacy regulations and data protection obligations.

The topics of trust and privacy are more relevant to users of online communities than ever before. Trust models provide excellent means for supporting users in their decision-making process. However, those models require an exchange of information between users, which can pose a threat to the users' privacy. In this paper, we present a novel approach for a privacy-preserving computation of trust. Besides preserving the privacy of the recommenders by exchanging and aggregating recommendations under encryption, the proposed approach is the first that enables the trusting entities to learn about the trustworthiness of their recommenders at the same time. This is achieved by linking the minimum amount of information that is required for the learning process to the actual recommendation and by using zero-knowledge proofs for assuring the correctness of this additional information.